Technology You Can Trust

Administrators can assign privileges and access rights to specific users or groups, and restrict who can administer the software, view certain modules, perform packet decodes or playback media, and view user identity data (if that data is chosen to be stored).

NETSCOUT supports either local authentication or integration with RADIUS, LDAP, Windows Domain/Active Directory, Cisco ACS/TACACS, and SiteMinder.

Configuration options on both the nGeniusONE server and Smart Data platform can be used to mask different types of data, such as credit card PANs, Cell IDs/IMSI/MSISDNs, and URIs. Data can be masked while it is classified for storage, or stored but hidden from display based on user privileges (RBAC).

One of the most powerful features NETSCOUT offers is an incredibly granular ability to control exactly what is processed per application, and for some applications, per appliance and per IP address (using VIP list). Recording bytes can be set as a default for the whole server, as well as per application for full packet, no packets (just provide metrics), fully optimized (ASI for select applications using a patented process that stores substantially less data), or by packet start or application payload.

Further granularity can be configured at the appliance level to reduce the slice size stored per interface. Similar controls can be applied per application, and for certain features per interface, and for storing session records.

Administrators can configure the addresses to monitor using My Network, and by defining named communities for client, server, telephone, and “VIP” (IP, MSISDN, or IMSI) addresses. The VIP list feature includes even more granular control for grouping and packet/session storage. 

Data is protected at the classification source by limiting access using host-based access control lists.

Data on the server and appliance is aged out on a scheduled basis defined by the customer. Certain data types support independent configuration of the classification table, if desired.

All control plane communications between NETSCOUT Arbor solutions, as well as administrative connections, are encrypted via secure protocols SSH and HTTPS.

All Arbor DDoS solutions provide a built-in firewall to restrict access to authorized IP addresses only, which limits accessibility of data.

All Arbor DDoS solutions provide authentication of users by means of a local database or by means of external TACACS/RADIUS systems, thus enabling, for example, two-factor authentication mechanisms. Local password security policies can be enforced as well.

All Arbor DDoS solutions provide granular authorization mechanisms enabling system administrators to restrict access to specific product features.

All Arbor DDoS solutions provide accounting of user actions, either locally or by means of external TACACS/RADIUS systems.

Arbor DDoS solutions provide other built-in capabilities which are designed to further reduce risks associated with the data being processed:

• Arbor Sightline can be configured to limit the amount of raw flow telemetry records that are stored and set the maximum age before automatic deletion of the flow telemetry records. 
• Arbor TMS can be configured to limit the number of IP packets that can be captured per interactive capture.
• Arbor APS can be configured to limit the number of IP packets that can be captured per interactive capture and provides a way to limit the age of data stored in the system.